I decided to upgrade my OpenBSD 4.5 to 4.8, I use it only to split my internet connection using NAT. In 4.5 everything is working fine, but in version 4.8 they changed the syntax for the NAT rules in pf.conf. Here is my working 4.5 pf.conf:

Code:

# cat pf.conf
int_if="hme0"
ext_if="pppoe0"
set block-policy return
set loginterface $ext_if
set skip on lo
match on pppoe0 scrub (max-mss 1440)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

I read the man pages for pf.conf and accordingly converted my ruleset to:

Code:

ext_if="pppoe0"
int_if="xl1"
set block-policy return
set loginterface $ext_if
set skip on lo
match on pppoe0 scrub (max-mss 1440)
match out on $ext_if from !($ext_if) nat-to ($ext_if)

But when I try to access the internet from another computer it doesn't work... I tried a few variants of the NAT rule and none of them worked, I also tried them on OpenBSD 4.7 and 4.8, it didn't work in either version... Does anybody have an idea of what might be the problem?

For us casual pf users, could someone explain why this worked for him?

Was it the addition of "to any" or was it that having an explicit pass rule was necessary for the nat-to property of the match rule to be used? So if you have match rules adding one of these properties (making them sticky as the man page puts it) for later pass rules, they do not get applied if you fall through to the default pass rule? Or is it that the default pass rule is effectively a prior rule, so match rules don't apply to it because the match conceptually comes after the unwritten default rule?
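As an added example for both posts above (not the original poster's ruleset, and not a claim about which of his variants finally worked): a 4.7+/4.8-style version of the same NAT setup with explicit stateful pass rules. It assumes the interface names from the thread and that nat-to attached by a match rule only takes effect when a later pass rule creates state for the connection, so traffic that falls through to the implicit default pass is not translated.

```pf
# Added example, not the poster's own pf.conf. Interface names assumed
# from the thread (pppoe0 outside, xl1 inside).
ext_if="pppoe0"
int_if="xl1"

set block-policy return
set loginterface $ext_if
set skip on lo

# MSS clamping for the PPPoE link, as in both original rulesets
match on $ext_if scrub (max-mss 1440)

# In 4.7+ translation is an option on a match (or pass) rule. The match
# rule only attaches nat-to to the packet; the translation is applied
# when a later rule creates state for it.
match out on $ext_if inet from !($ext_if) to any nat-to ($ext_if)

# Explicit stateful pass rules: LAN traffic arriving on the inside
# interface, and anything leaving on the outside interface. Without a
# matching pass rule the packet falls through to the implicit default
# pass, which creates no state, so the nat-to above is never applied.
pass in on $int_if inet from $int_if:network to any
pass out on $ext_if inet from any to any

# Check syntax without loading:  pfctl -nf /etc/pf.conf
# Then load and watch translations:  pfctl -f /etc/pf.conf ; pfctl -ss
```

`pfctl -ss` should show the LAN source address rewritten to the pppoe0 address on the outbound states once a LAN host opens a connection.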